LDAP Service

From Tardis
This page is out of date and needs rewriting.
The content is likely to be incomplete or incorrect.
  • Runs on piper - piper.tardis.ed.ac.uk
  • There is also an alias, ldap.tardis.ed.ac.uk.

(Usual caveats; stuff might have changed, pay attention, etc)

Install slapd, and optionally ldap-utils and ldapvi (should you want to be able to try it out from the server). The slapd package attempts to be helpful, asking a bunch of configuration questions and starting the service. Curiously, I didn't see "don't configure slapd for me" among the options the first time around and needed to reconfigure the package. Say "yes" to "Omit OpenLDAP server configuration?".

piper:~# /etc/init.d/slapd stop
piper:~# dpkg-reconfigure slapd

Keep a copy of the default configuration in case someone wants to see how Debian configures things, and copy across the main configuration file, the SSL files and the schema files that don't ship with OpenLDAP. (You might want to check this stuff, as some of it can probably be chucked. Actually, I just turfed krb5-kdc.schema because we don't use it and it suffered parsing errors. An old piece of syntax in the configuration file needed fixing too.)

piper:~# cd /etc/ldap
piper:/etc/ldap# cp slapd.conf slapd.conf.dpkg
piper:/etc/ldap# mkdir -p /etc/ssl/certs

root@baker:~# cd /etc/ldap
root@baker:/etc/ldap# scp slapd.conf root@piper:/etc/ldap
root@baker:/etc/ldap# scp /etc/ssl/certs/ldapcert.pem /etc/ssl/certs/ldapkey.pem  root@piper:/etc/ssl/certs
root@baker:/etc/ldap# scp /etc/ssl/cacert.pem  root@piper:/etc/ssl/
root@baker:/etc/ldap/schema# scp amd.schema courier.schema krb5-kdc.schema tardis.schema root@piper:/etc/ldap/schema

Also, edit /etc/default/slapd to enable all the methods of connecting by putting in the line

SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"

At this point it should start and stop without moaning about syntax errors. If not, see if you can fix them.

piper:/etc/ldap# /etc/init.d/slapd start
Starting OpenLDAP: running BDB recovery, slapd.
piper:/etc/ldap# /etc/init.d/slapd stop 
Stopping OpenLDAP: slapd.

Now grab a recent backup, comment out the "search" and "result" lines at the end (the backups are generated by ldapsearch, which appends those footer lines, but we're going to import them with slapadd, which doesn't accept them), clear out the old database and import the backup:

piper:/etc/ldap# cp <whereever>/backup-20060225.ldif /tmp/backup-20060225.ldif
piper:/etc/ldap# vi /tmp/backup-20060225.ldif

<comment out search and result lines near end>

piper:/etc/ldap# cd /var/lib/ldap
piper:/var/lib/ldap# mkdir old
piper:/var/lib/ldap# mv * old
mv: cannot move `old' to a subdirectory of itself, `old/old'
piper:/var/lib/ldap# slapadd -l /tmp/backup-20060225.ldif
piper:/var/lib/ldap# /etc/init.d/slapd start
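The "comment out the search and result lines" step above, automated as a small POSIX sh script so the edit can be checked before running slapadd. This is an added example, not the wiki's own backupldap script; the sample LDIF and its example.org entries are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not the wiki's backupldap): make a plain ldapsearch dump safe for
# slapadd by commenting out its "search:"/"result:" footer lines, which are not
# attributes. Assumption: no real attribute is named "search" or "result".

# Comment out the ldapsearch footer lines. Usage: prepare_ldif_for_slapadd in.ldif > out.ldif
prepare_ldif_for_slapadd() {
    sed -e 's/^search: /# search: /' -e 's/^result: /# result: /' "$1"
}

# Number of entries (dn: lines) in an LDIF file; compare before and after.
count_entries() {
    grep -c '^dn: ' "$1"
}

# Succeeds only if no uncommented footer line is left in the file.
is_slapadd_safe() {
    ! grep -q -e '^search: ' -e '^result: ' "$1"
}

# Constructed sample of default ldapsearch output, footer included, written to $1.
write_sample_backup() {
    cat > "$1" <<'EOF'
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
o: Example
dc: example

dn: uid=alice,dc=example,dc=org
objectClass: inetOrgPerson
uid: alice
cn: Alice

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
EOF
}
# Stand-alone demo: write the sample, convert it and check it before slapadd.
backup=$(mktemp) && restore=$(mktemp)
write_sample_backup "$backup"
prepare_ldif_for_slapadd "$backup" > "$restore"
echo "entries: $(count_entries "$restore")"        # entries: 2
is_slapadd_safe "$restore" && echo "ready for: slapadd -l $restore"
rm -f "$backup" "$restore"
```

Run it against the real backup with `prepare_ldif_for_slapadd /tmp/backup-20060225.ldif > /tmp/restore.ldif` and compare `count_entries` on both files before calling slapadd.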

Now you can test it.

The backup script

The backup script had to be moved to the new server:

piper:~# mkdir -p ldap/backups
piper:~# chmod og-rwx ldap 

baker:~# scp bin/backupldap bin/ldappasswd root@piper:/root/ldap
backupldap                                    100%  254     0.3KB/s   00:00
ldappasswd                                    100%    7     0.0KB/s   00:00

A cron job needs to be added for it, and the old cron job on the old server needs to be removed because it stores the backups in the same place!

For the baker to piper move, I used the replog option on the old server to watch for changes, then grabbed a fresh backup copy and imported it as above. There were no changes on the old server (changes to our LDAP database are infrequent), so no further synchronisation was required.

For future synchronisation, the built-in LDAP Sync (syncrepl) support in current versions of OpenLDAP will probably be easier.

Useful stuff

To watch for attempts to use the old server you can use the debugging support in OpenLDAP. Adding -d 260 to the normal slapd command line worked well for me.

Files that may need to be updated to point to a new server: